WHITEPAPER Multi-Network M2M communication platform for Siemens SCALANCE and RUGGEDCOM routers June 2016


ENABLING GLOBAL IOT CONNECTIVITY

WHAT IS SINEMA REMOTE CONNECT

A new management platform for remote networks, SINEMA Remote Connect, is a server application which provides secure user access to remote plants or machines even when those machines are deployed in third-party networks or plants.

The management platform capability provided by SINEMA Remote Connect helps to simplify the configuration and management of remote access networks, terminal units and the associated OpenVPN connections. The intuitive user interface enables users to configure and manage security parameters associated with the point-to-point network connections either as groups or individually.

Interconnecting users, remote systems and machines over the internet is most effectively performed using secure virtual private network (VPN) connections and industrial network routers. SINEMA Remote Connect makes configuration and maintenance of the required VPN tunnel keys and certificates easy and secure.

The SCALANCE M876-4 LTE industrial router is used to connect remote terminal units with the server. Setup is straightforward. When the SCALANCE router connects to the server to provide operational data, it triggers an exchange of VPN certificate details between server and router via a secure HTTPS connection.


Since the VPN connection is always initiated by the industrial router, the field operator retains control of connecting their machine to the internet and to the SINEMA Remote Connect server.

Multiple devices can be set up in a similar way and then assigned to groups if appropriate, with access permissions established for each group. Ultimately a secure network of machines and systems is created, with the security credentials and access controlled by the central server.

In addition to managing the on-boarding of the terminals, SINEMA Remote Connect also allows administration of various users. For example, service technicians must be provided with secure access to machines, but that access can be limited to those machines and equipment which are individually relevant to them.

Access control and administration can be done via a secure web interface. User permissions and device or group assignments can be made ensuring that only authorised users can access the appropriate terminal units. This web interface access is via a secure VPN connection and using the SINEMA Remote Connect Client, which is included with the base package.

In addition, the SINEMA Remote Connect Server offers the machine manufacturer the opportunity to upgrade the SCALANCE industrial router. A new firmware version can be uploaded to the server, which is then subsequently uploaded to the SCALANCE devices via the connection to the server.


SCALANCE M87X MOBILE WIRELESS ROUTER – MOBILE ENABLED

If the system components are in remote areas (such as water or sewage systems) or are mobile (e.g. industrial vehicles, waste containers or compactors), then mobile wireless routers are used.

The SCALANCE M876-4 provided by SIEMENS is enabled with an LTE broadband connection for systems such as surveillance cameras. Lower data requirements and world-wide coverage are supported using 2G and 3G (EV-DO for the US market is also supported). All mobile routers can be connected to the SINEMA Remote Connect management platform.

Local networking with PLCs, cameras and other terminals is achieved via the 2 or 4 (router version dependent) local LAN ports, via digital IO inputs or via SMS. This allows full control over the connections and connection duration of the remote stations. The SCALANCE router family meets the highest industrial requirements in terms of robustness, reliability and safety. Its intuitive usability also allows rapid troubleshooting by system personnel without deeper IT knowledge in the event of a breakdown. One option offered here is simple device replacement. This is made possible via the KEY-PLUG, a licensing and storage medium which, besides the automatic configuration interface and connection to the SINEMA Remote Connect Server, also enables the backup of the current device configuration.

In the unlikely event of the SCALANCE industrial router breaking down, the maintenance engineer on site only has to replace the device and insert the KEY-PLUG; after the next launch of the new SCALANCE device, full functionality is available again.

[Figure: SINEMA Remote Connect application overview. Labels: SINEMA Remote Connect; SINEMA Remote Connect Client; OpenVPN tunnel; Application: using IT infrastructure with SCALANCE S615 router; Application: ADSL infrastructure, SCALANCE M816 router (not yet available); Application: when no fixed-line infrastructure is available, SCALANCE M87x; e.g. installation on customer's own PC.]

Unrestricted © Siemens AG 2015. All rights reserved.

THE ROLE OF MVNOS IN PROVIDING OPTIMUM CONNECTIVITY FOR IOT PRODUCTS AND SERVICES

Arkessa is a Machine to Machine (M2M) and Internet of Things (IoT) managed service provider and offers MVNO-style services to help enterprises connect to the Internet of Things in a secure, reliable and globally scalable manner.

An MVNO (Mobile Virtual Network Operator) does not own a mobile radio network but aggregates multiple different networks and offers customers access to those via a single provider. This creates a global connectivity solution without the significant complication of establishing and maintaining relationships with numerous different Mobile Network Operators.

Not only is network access simplified, a Management Platform enables customers to visualise, monitor and manage connections via a single user interface and in a standard way regardless of which mobile networks are actually used. These tools and management services help users optimise the deployment process, implement data and financial controls and apply additional security mechanisms across their IoT portfolio once operational.

Arkessa can also offer these same services on Satellite and Low-Power WAN technologies.

[Figure: COMMUNICATION PLATFORM. Labels: Global Cellular; Satellite; Low Power WAN; Business System Integration; Management Portal; Secure; Connectivity Management; Security; Monitoring; Reports & Alerts; Multi-Carrier Integration; Secure Enterprise Integration.]

BENEFITS OF DEPLOYING IOT PRODUCTS AND SERVICES WITH AN MVNO

The multi-network capabilities of an MVNO make it easier for IoT product companies to deploy nationally and internationally. Having a choice of networks for national deployments minimises coverage concerns. The ability to identify and connect to the network with the strongest signal and/or roam from one network to another means devices (whether stationary or mobile) can connect first time. Multi-network connectivity also provides the resiliency needed for ensuring superior customer experience, be it a Consumer product or an Enterprise grade service in the Energy/Utility, Automotive, Building or Smart City domains.

These same benefits apply to multi-national deployments as well. The global network roaming capability allows Enterprises with facilities, people and assets deployed regionally or internationally to scale an MVNO solution to provide connectivity wherever they need it. Product and Service provisioning can be simplified, deployment and installation can be quicker, and operational efficiencies and customer service can be optimised courtesy of the geographic and network roaming capabilities.

At the device level, a single SIM card slot is no longer a limitation on coverage and resiliency. Devices with two SIM card slots can now be optimised: the second connection can be used as a redundant or failover option, it could be used as a maintenance, monitoring or management connection, or it could be removed altogether.

[Figure: CONNECTIVITY MANAGEMENT PLATFORM. Labels: Detailed usage & performance reports; Connection Status; Panoramic view of connection portfolio; Notifications and Alerts; Security; Detailed Diagnostics; Self Service; Set Limits; Secure Resilient Infrastructure; Web Portal; Business System Integration.]


SOME IMPORTANT DECISIONS TO BE MADE DURING PLANNING STAGES.

It is beneficial to check which service providers are available within the target countries. The appropriate tariffs can be selected to allow access to all national networks or perhaps to constrain access to only certain networks. These choices will impact monthly service charges once in-service.

By selecting a tariff which grants access to all networks, a costly on-site signal strength measurement can be avoided. Purchasing higher volumes of just one type of SIM card will help with service provision and costs.


MANAGING CONNECTIVITY IMPROVES OPERATIONS, SECURITY AND FINANCIAL CONTROL

Most MVNOs will provide a Connectivity Management platform which enables users to securely manage device connections in and out of the system and to monitor data usage. Operational management, reporting and financial forecasting for the entire IoT portfolio can be performed via a single user interface regardless of which networks are actually employed.

Growth: Efficient planning and operations accelerate time to market

• Devices can now be shipped and connect first time out-of-the-box
• Support for pilot programs and field testing
• Billing activation after pre-defined time or data threshold has been reached
• De-activate connections to avoid billings on inactive devices

Security: Build an extra security layer into IoT deployments

• Minimise the risk of unauthorised use by setting secure usernames & passwords
• Private IP Addresses – permanent, unique identifiers much like a phone number
• Identify rogue device activity or misuse
• Suspend problem connections and prevent new data sessions being started

Analysis: Retrieve information quickly. Make smart judgments

• Granular viewpoints – global audit down to individual connections
• Display connection data over a period to highlight trends and patterns in usage
• Set data alerts & caps. Get early warnings on approach to data limits
• Conduct fault analysis by sending PING command to the device

Productivity: Visualise and manage connections

• Create custom filters & graphs based on specific criteria
• Powerful graphical filtering & group tagging features provide focussed views
• Assess data usage at-a-glance and in real-time
• Quickly produce data usage reports ahead of monthly invoices

PRIVATE MVNO INFRASTRUCTURE IMPROVES SECURITY, DEPLOYMENT AND QUALITY OF SERVICE

Secure transfer of user and mission-critical data is an essential aspect in creating IoT systems. The MVNO can make a significant impact on IoT system security by underpinning network security and resiliency, providing secure and private interconnects to both radio access networks and Enterprise systems, and by provisioning secure connection features like fixed, private IP addresses.

A critical infrastructure component is the APN (Access Point Name), which is essentially a gateway that interconnects with the Radio Access Networks and, ordinarily, the public internet. MVNOs will typically implement their own private APNs and provide private IP address ranges, which keeps IoT data separate from the public internet. This has the benefit of avoiding the security risks associated with the internet and improving system latency.

A single private APN can be provided for each customer. This approach allows all devices to be configured in a common but customer-specific way and still allows connection in all countries and all networks.

[Figure: SECURE RESILIENT NETWORK INFRASTRUCTURE. Labels: Secure, Resilient Radio Network; Private APN; Secure, Resilient Data Network; Customer.]


• SIM authentication with MNO guarantees only genuine devices can connect to M2M network.

• IPsec VPN secures data flow between device and network.

• Arkessa offers fixed IP addresses as standard for no extra cost. This is a unique identifier, much like a mobile phone number.

• SIM theft or hacking is mitigated by Arkessa. Service/usage restrictions can be enforced via EMPort.

• Support for eUICC or “SIM-on-a-chip” is also provided, which is an additional physical security layer in itself.

• Security and Resiliency are achieved courtesy of comprehensive architectural provisioning.

• Dual interconnects between Arkessa’s M2M platform and the mobile networks ensure that if an interconnect fails, automatic failover maintains data flow via the alternative route.

• Arkessa’s platform is itself hosted in multiple data centres, providing complete resilience even in the event of data centre outage.

• All mobile networks connect with our M2M platform via Arkessa-specific or customer Private APNs, meaning that at no point is the data transferred across the Internet.

• Dual interconnects between Arkessa’s platform and the customer Enterprise networks ensure that if an interconnect fails, automatic failover maintains data flow via the alternative route.

• IPsec, SSL or TLS virtual private network (VPN) connections are used to secure interconnections.

• The customer can exert control and limits on usage and service via their preferred business systems once integrated with EMPort:
  • Data authentication & accounting
  • Usage alerts and reporting
  • Limits on service. Caps on usage
  • Deactivation of connections

NETWORK AGNOSTIC MVNOS PROVIDE MORE RELIABLE CONNECTIVITY, REDUCE THE NEED FOR SITE VISITS AND HELP PRESERVE BATTERY LIFE IN IOT DEVICES

Most Mobile Network Operators (MNOs) will attempt to orchestrate network connections onto home or roaming partner networks. For consumer devices, like smartphones or tablets, this is arguably the best policy, but for IoT devices this kind of approach can lead to unreliable connectivity and consume power unnecessarily – a critical issue for battery operated devices.

SOURCES OF UNRELIABILITY IN NETWORK ACCESS

Network access can be controlled via policies and lists contained in the SIM card. This allows networks to be blocked and network access to be prioritised or ‘steered’. Most MNOs will prioritise their own networks out of commercial interest but also to ensure that they can best deliver on the customer service level agreement (SLA) and bill at the agreed rates. This results in ‘steering’ of the connection not only at power-on but at regular periodic intervals thereafter.

For smartphones and tablets, the user is in direct possession and control of the device and can therefore easily identify and often enough manage any discontinuities in connectivity (by switching to WiFi, for example).

For IoT devices, which are often mobile, often deployed in basements or stairwells, situated in congested city environments or off the beaten track, and regularly deployed multi-nationally, this situation is inevitably troublesome.

• IoT devices are almost always unmanned. Connectivity issues have to be identified and managed remotely.

• Repeated attempts at ‘steering’ the connection back to home or prioritised networks will consume energy and drain the battery.

• Lack of flexibility or limits on network access will complicate deployment planning, slow time-to-market and make it more difficult to manage costs – bill shock is often the result.


IOT SPECIALISTS

MVNOs like Arkessa will provide specialist M2M and IoT support pre- and post-sales. This expertise will enable optimal decisions to be made regarding network (single or multiple, in-country or multi-national) and tariff choices. In service, specialist support personnel will help with management and troubleshooting. EMPort, the Arkessa Connectivity Management platform, provides users with the ability to monitor, manage and control their IoT portfolio for themselves.

Arkessa connects with more than 540 mobile networks in more than 200 countries. By aggregating all mobile networks into a single managed service, Arkessa will help put you in control of your mobile network planning and deployment. Managing them all from one place through one provider gives you the flexibility, reliability and coverage you need without the hassle of forming numerous relationships with service providers around the world.